[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: fsGroup vs. supplementalGroups

On Wed, Jun 22, 2016 at 12:14 PM, Alan Jones <ajones diamanti com> wrote:
I have a configuration for a PV/PVC with a block device that works in the default namespace with the fsGroup tag in the pod spec's securityContext.
I was able to create the pod in a non-default namespace with combination of 'openshift.io/scc: restricted' and a supplementalGroups tag with the same value; but this gave the firmilar permission denied error trying to write to the new directory.
Note, my image is not being built by OpenShift and has a particular user and group that runs out of the box.
1) Can you configure persistent block device storage for non-default projects?

PVs don't care what project they're used with, so yes. Project is not important here, but service account being a member of the right SCC does if you're trying to specify securityContext.
2) Do you need to build the container image for this configuration?

The container should generally be none the wiser as to how its storage is supplied.
3) Is support required in the volume driver to interpret 'supplementalGroups' separate from 'fsGroup'?
    (I don't see any reference to 'supplementalGroups' in k8s volume code where I do see 'fsGroup'.)

Don't know. I think supplementalGroups is an OpenShift addition. Note under:
"The supplementalGroups IDs are typically used for controlling access to shared storage, such as NFS and GlusterFS, whereas fsGroup is used for controlling access to block storage, such as Ceph RBD and iSCSI."
I don't know if this means supplemental groups are *ignored* for the purposes of block storage...

Thank you!

dev mailing list
dev lists openshift redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]